He is an internationally recognized authority on computer crime, information
security, industrial espionage and related subjects. He is the Editorial
Director of the Computer Security Institute (CSI), San Francisco, CA., and the
author of Tangled web: Tales of Digital Crime from the Shadows of
Cyberspace. (Que, 2000)

How difficult is it to quantify the effects of cyber criminal
activity?

Quantifying financial losses from cyber attacks is one of our major problems.
Really, you're still doing "guesstimates." Sometimes you'll see tens of
thousands, and hundreds of thousands of dollars lost in an attack, and that's
mostly the cost of clean-up and investigation. But the real costs are the soft
costs--lost business opportunities. If you're conducting e-business and you're
counting on $600,000 an hour in revenue, like Amazon, and your service is
disrupted by a denial of service attack, you can start with the figure $600,000
for every hour that you're down. If you're Cisco and you're making $7 million a
day online, and you're down for a day, you've lost $7 million. That's where you
start. . . .
There were estimates that the "Love Bug" virus did damage in the billions
and billions of dollars. That scale leaves most people saying, "That's beyond
any kind of comprehension."

Right. It staggers the imagination, and there's a tendency to disbelieve
that four lines of code literally cost $80 million, or $10 billion in damages.
But if you think about it in terms of a 24/7 global corporation, a Fortune 500
corporation, there's a little meter inside it, ticking all the time. . . . A
Fortune 50 corporation was hit by the "Melissa" virus when it came out,
and their own internal tabulation was that they lost $10 million. When you ask
them how they lost it, it was lost productivity, lost network operation time.
All of this is factored into their budgets. They have a dollar sign attached to
each minute of network time, and when you disrupt that minute of network time,
you cost that much money.

And every serious corporation values their information. This trade secret is
worth X amount of money. If that trade secret is compromised online, or through
some kind of hacking, insider or outsider, then that much money is lost.
Why do so many of these people insist on suffering in silence, instead
making a big noise about the amount of the losses because of this kind of
activity?

They're very afraid. . . . There are all kinds of reasons they want to keep it
quiet. When there's blood in the water, the sharks get excited, and there are
all kinds of sharks--not just hackers. There are civil liability lawyers,
government regulators, stockholders, people who are looking at your company for
hostile takeovers--all kinds of reasons not to draw attention to your
vulnerabilities in cyberspace.
If the victims are opting to keep it quiet for their own proprietary
reasons, how much will this delay the ability of society or of this new
security industry to deal with the real problems out there?

They're banking on the hunch that their profits will still outweigh the
losses--that they'll be able to absorb it and things will go on quietly. But I
don't think that that's going to be the case. And they are thwarting the
progress of a secure internet, of a secure global cyberspace, because law
enforcement, globally--not only in the United States and Canada--but law
enforcement in other countries has come a long way. . . . They've gotten up to
speed on tracking down, arresting, trying, and convicting cyber criminals. But
corporations are way behind on building their own cyber fences, and committing
the resources in staffing and money needed to defend their own systems.
How should we view this new private information technology security
industry?

Law enforcement's role has never been to secure your business. Law enforcement
isn't expected to put in your sprinkler system or your burglar alarm, or to
make sure your doors are locked at night. Their job is to respond to your call
when there's been a crime committed against you or your property. It's the
fiduciary responsibility of those corporations to defend themselves and their
customers and their clients against cyber attack. . . .
But there's a kind of a contrast here. On the one hand, you have the victims
of cyber crime trying to say that they'll look after it. On the other hand, you
see the elements of this new industry scaring the hell out of everybody, saying
things like, "Osama bin Laden is going to get you, the hackers are going to get
you, the sky is falling." Where does the truth lie in between this sort of
self-interested silence and this self-interested racket?

Well, there's the zone of responsibility in there. It's not that easy to find,
and you've articulated the problem really well, because you have a bunch of
people running around saying, "The sky is falling. The sky is falling. Give us
your money, and we'll keep it up for you." And then you have another group of
people running around saying, "This guy's crying wolf. There's no problem here.
Your credit card is safe over the internet." . . . There's been a kind of a
shift in the security industry over the last few years, and you see a lot of
people thinking about cashing in with their own IPOs, and their own dotcom
security companies, and making a fortune off the danger to other people's
fortune. . . .
Not so long ago, when you wanted to talk about security of corporations, the
security of software, people like Microsoft would say, "We're not talking."
Now, not only are they talking, but they're telling us that they're really
doing something about it. How comforted can we be by the reassurances that
we're getting from them now?

Well, that's a loaded question. Windows NT came out a few years ago. It was
heralded as the secure operating system. And the hackers had a few good whacks
at that tree, and fruit started falling off it right away. And now there are
hundreds of vulnerabilities for NT. In fact, the hackers joke among themselves
that "NT" stands for "Nice Try." So it's not that simple to slap some marketing
hype on an operating system and say, "This is a secure operating system." It
takes a lot more than that, and they haven't advanced internet security with
their product.
But Microsoft is telling us that now they're taking it a lot more seriously,
that with Windows 2000, security is a deal-breaker. Their security people say,
"If we don't like the security components of Windows 2000, it ain't going out."
Is it secure?

Well, ask that question six months from now, or a year from now. The tree will
be given a few good shakes, and there'll be some fruit fall off it. There'll be
vulnerabilities. There'll be exploits. How those vulnerabilities and exploits
are dealt with is another question.

There's a debate in the security community about what kind of operating system
we should have. NT Windows 2000 is a closed system. You can't look at the
source codes. That means only Microsoft and whatever hackers have succeeded in
stealing it know how good it is. The good guys don't know how good the code is.
The good guys can't look at the code and fix it, and adjust it to their own
needs. With UNIX, for instance, the other major operating system, you can look
at the code, and you can see where it looks like. You can see where the
vulnerabilities are, and you can have your own smart people address that. So
there are fundamentally different approaches there. Most internet security
experts believe you should have an open system, so that everybody sees, and
everybody is on the same playing field.
Whether I'm speaking as a person with just an internet account or somebody
with a business, when the cyber goblin gets me, who should I be mad at? Should
I be mad at the goblin? Should I be mad at the guy who sold me the software?
Should I be mad at the government for not protecting me?

You might start with yourself in terms of how badly you were gouged. If you're
doing your banking online, if you're doing your stock trading online, if you're
buying a house or a car online, you might want to think a little bit about how
you're doing it, why you're doing it, what the consequences are, how to monitor
your online identity. Leave a paper trail for yourself, leave back-ups of your
activity for yourself, check things out, check your credit rating every few
months to see if there's something strange on there. There's a whole range of
activities that you have to now take part in, just like a homeowner has to have
insurance, has to have locks and fire alarms and everything for their house.
You, as a citizen of cyberspace, and somebody doing business out there has to
take some responsibility for your money, and for what's happening.

Beyond that, you have to look at the merchants and the financial institutions
that you're doing business with, and what responsibility they take for what is
going on with your online activity, and the vendors of the software that are
supposedly making it secure for you. . . .
So where does the big burden lie--on me, the user, or on the company that is
selling me the tool?

Well, it's only been in the last few weeks that Visa International has issued a
new set of regulations for the merchants using its credit cards online to
adhere to. And if you look at this set of new regulations, they are the most
fundamental things about internet security: have a firewall in place, have the
latest version of software in place, use encryption for any files that are
accessible from the internet. It's hard to believe that this basic level of
internet security is what is being required of people now. . . . We're already
tens of millions, billions of dollars into e-commerce, aren't we? This is the
second or third Christmas where we're going to be talking about how much is
being spent online. So there's some culpability there. There's some need for a
more serious look. . . .
You've been monitoring crime, probably more specifically than anybody else
that I've talked to. Was there a case that sort of blew your socks off?

In the mid-1990s, there was a rumor about something called BlackNet. And the
rumor was that there were these crackers online who were stealing and selling
information, and you could ask them for whatever you wanted. They could go get
it, email it to you, and it was all done with encrypted accounts and anonymous
remailers, and all very cloak-and-dagger on the Net. Some people said this was
real, some people said it was an FBI sting. Some people said it was a hoax.
BlackNet itself turned out to be a hoax, perpetrated by a bright young
"cyperpunk," as they're called.

But while that urban legend was passing around the internet, there was a real
"BlackNet" operation going on. It was eventually called "Phonemasters"
by the federal investigators. This was a gang of crackers, across the country,
Philadelphia, Santiago, Dallas, and in Canada, Switzerland, and as far away as
Sicily. They were involved in stealing credit card information and reselling
that information. They had a menu of activities they could perform. They had
Madonna's home phone number, they could hack into the FBI's national crime
database. They hacked into a telephone company to find out where the federal
wiretaps were for the Drug Enforcement Administration, beeped the dealers that
were being tapped and said, "Hey, you're being tapped by the DEA." And that
blew drug investigations out of the water. These guys were serious. . . . It
took years to get a conviction and a sentence in that case.

Some of the groundbreaking work was done in terms of tapping data transmissions
and all kinds of stuff, and it took a long time. But that is what we're talking
about when we're talking about financial fraud, about cyber crime on the Net,
the range of things that can happen. And you know, these guys were amateurs in
the sense of criminal activity. So you can imagine what a serious criminal
organization that takes that kind of hacking seriously could do. . . .
What, as a community, is going to happen to make the internet safer?

. . . We have a highway, this internet, this global cyberspace, but we don't
have any yellow lines. We don't have any speed limits. We don't have any
driver's license. We don't have any license plates. We barely have car
insurance. It's not required. You get my analogy. We want this internet, this
global cyberspace, to be completely free, completely open. Everyone does. I do.
But we also want to conduct business there, and we want to relax there, and
have our children be educated there, and seek entertainment there. Those kinds
of activities require law enforcement, require international treaties, and
require responsibility--corporate responsibility and personal responsibility.
So we have a long way to go before cyberspace is as safe, even as safe as the
interstate highways. And, as you know, the highways aren't all that safe. . . .
What have we learned so far from the big attacks that we've experienced to
date?

The Citibank case, where some Russian hackers, notably "Vladimir Lenin"
operating in St. Petersburg in Russia hacked into Citibank in New York. They
succeeded in committing wire fraud, basically, to the extent of $10 million
before they were caught, arrested, tried, convicted and everything else. There
are a lot of lessons in that case. Nobody wants to talk about the Citibank case
much, because the bankers don't want you to think about problems with online
banking and the internet. The dotcom companies don't want you to think about
the consequences of cybercrime. . . . This wasn't even an internet crime. This
was just a dial-in system where you made transactions to and from your account
over the phone. And these systems were compromised early on. I suggest that
that kind of activity on the internet is even easier, not harder. And in fact,
Citibank, in order to deal with those vulnerabilities after the fact,
instituted "smart cards"--cards for the customer to swipe and identify
themselves, similar to an ATM card. My suggestion is, if you're conducting
online banking, and you are using a password and user ID, you are not using
adequate authentication to the network. You are exposing yourself to
vulnerability.
What did we learn from the Martin Luther King Day crash at AT&T?

Well, the Martin Luther King Day telephone crash, back in the early 1990s,
affected the public switch network, the telephone system from coast to coast,
for many hours. There was significant infrastructure collapse. . . . We hear a
lot of talk about information warfare, and the preparation for information
warfare, and the need to build up defenses against infrastructure attacks. And
some of the doubters say, "Well, where is the evidence of infrastructure
attacks?" And no one will talk about it, and maybe there hasn't been one. But
the Martin Luther King Day crash in the early 1990s is an incident that I
understand to be an infrastructure attack, although AT&T only acknowledges
a software glitch. There was never any prosecution, any arrest or prosecution
in the case. There is evidence that it was a single command issued by a hacker
that brought down the public switch network that day. . . .
What is it going to take to make cyberspace a safer place?

I think it will have to do with tort law, civil liability and exposure. And of
course, no one wants to talk about government regulation. But I always point
out to people that when they come into their office in the morning and switch
on their lights and they get electricity, and they pick up their phone and they
get a dial tone, to some extent, like it or not, the availability and the
constancy of those utilities has to do with government regulation. If we are
going to look at the internet as a place to do business, as something as vital
as the phone system, or the power grid, or the air traffic control system
itself, then you have to start looking at what you will require from those who
want to be the bulwarks of that . . . .
Who are the bad guys? Who's the enemy in this new cyber world?

In terms of criminal activity? Well, it ranges from petty theft, really, to
state-sponsored terrorism. And you have everything in between. You have the
cyberspace mugger who's going to steal your personal identity, and destroy your
credit by committing fraud in your name, or stalk your children or your loved
ones online. There are organized crime syndicates that are going to be engaged
in stealing massive numbers of credit cards and selling them and using them for
credit card fraud globally. There are governments and corporate entities,
globally, that want to steal technology: cutting-edge technology, biotech,
high-tech, and low-tech technology. They want to compress the arc of time for
their economies to develop and catch up with the Big Eight economies. And
somewhere out there there's a cyber Unabomber, who is concocting for his own
bizarre motives some really unpleasant event that could impact the lives of
thousands or millions.

And there are the cults. Aum Shinri Kyo is the cult that hacked aggressively
into technology companies to steal technology that they were interested in.
There are the Osama bin Ladens of the world. Some people mock that specter, but
those folks have satellites, they use encryption, and they are on the Net, both
to gather information and to disseminate information, to gather intelligence
and conduct operations. And then, of course, there are governments. What will
happen in the Straits of Taiwan between Taiwan and China, and all the hot spots
in the world, is also taking place in cyberspace. They're looking at ways to
attack each other's digital infrastructure
The problem is a lot more complex then just people with green hair and body
piercing.

Some of the folks with green hair and body piercing are very bright kids who
solve puzzles that people with computer engineering backgrounds can't solve.
But the juvenile hackers and the young hackers get caught, and they end up in
the headlines because they get caught. And the reason they get caught is
that they're not professionals. They are out for the adventure. They are out
for bragging rights. They are out for exploration. The professionals, the
ex-KGB agents, or the ex-CIA agents, the person from German intelligence, or
Israeli intelligence--they're not going to get caught. And when they are
detected, the people who detect them are not going to want to acknowledge that
they've been there.
Groups who are responsible to the public, even corporate groups, seem to be
having a bit more difficulty because of this incredible brain drain from
academia, from the military, and from the public sector. How serious a problem
is that?

It's a big problem. Information security isn't really something that's
inculcated by software engineers as they come out of graduate school. . . . You
could count on the fingers of one hand the academic institutions that are doing
serious research and development in computer security and internet security.
And when those programs develop young people that are really gifted. . . . they
don't stay in academia. . . . They get into the corporate world, and they are
tempted away into the consulting end of things, into the accounting firms, and
the security companies that are wanting to cash in on the threat. And on the
government side, the government will take somebody from the military or law
enforcement, train them on cutting-edge technology and computer forensics, how
to detect and thwart cyber attacks and threats to the infrastructure, and all
these critical issues of online espionage and information warfare. And then
those people get tempted away by those corporate sector salaries, and they
leave public service for the private sector. So there's a brain drain all the
way down the line. . . .
What happened with the Aum Shinri Kyo incident?

The important point that the story of the Aum cult brings home is the
plausibility of the cyber terrorist threat. We may never see a cyber attack,
but it would be irresponsible for those who are entrusted with national
security to not consider the consequences. For example, if someone had said
before it happened that a small New Age cult would launch a Sarin gas attack on
the Tokyo subway system to spur some Armageddon that would somehow leave their
cult leader in charge of the world, you would think it was implausible. But it
happened.

And the Aum cult was not only was preparing for chemical warfare and other
kinds of warfare. They were actively engaging in hacking into Japanese
corporations and other entities around the world to gain technology they
wanted--laser technology, for instance--because they wanted to build their own
laser guns. And they, in fact, targeted and were recruiting software engineers
and scientists and bright young people who had skills that they wanted. And
they did drive up to the gates of Mitsubishi in the middle of the night, break
in, get into the main computers, and hack into those computers to get trade
secrets, proprietary information.

It's not difficult to surmise that they involved themselves in other hacking
capers. But even this year, years after the Sarin gas attack . . . it turns out
that a front organization that is controlled by the Aum cult was the contractor
that developed software for 90 Japanese government agencies, including the
Japanese police and elements of the Japanese Defense Department. And literally
a day before this software was to be deployed, somebody put two and two
together, and blew the whistle, and said, "Wait a minute. Look who developed
this software." Now, was there anything funny in the code? We'll probably never
know. But the danger of it is astounding, and the plausibility. You wouldn't
believe it if I had told you, "A cult could be writing software that could be
downloaded into the police department or the military wing of your government."
People wouldn't believe it. But it almost happened, literally. It was within 24
hours of being deployed in Japan.